Attacker Value
Low
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
Low
Attack Vector
Network
0

CVE-2020-0655

Disclosure Date: February 11, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Add Assessment

4
Ratings
Technical Analysis

A vulnerability exists within PathCchCanonicalize that can be leveraged by a malicious RDP server to write files on a connected RDP client system. The vulnerability is related to how forward and back slash characters are processed and is related to the older CVE-2019-0887 in the sense that this vulnerability is a bypass for the mitigation which it introduced.

Exploiting this vulnerability would involve an attacker configuring a malicious RDP server and then tricking a client to connect to it, authenticate to it and then initiate a copy and paste operation from the malicious server to their client system.

CVSS V3 Severity and Metrics
Base Score:
8.0 High
Impact Score:
5.9
Exploitability Score:
2.1
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1903 for 32-bit Systems,
  • Windows 10 Version 1903 for x64-based Systems,
  • Windows 10 Version 1903 for ARM64-based Systems,
  • Windows Server, version 1903 (Server Core installation),
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows 10 Version 1909 for ARM64-based Systems,
  • Windows Server, version 1909 (Server Core installation)

Additional Info

Technical Analysis